Irina Shetukhina <irka@masterhost.ru> writes:
> Hi.
>
> There is acl in slapd.conf:
>
> access to dn.one="ou=personal,ou=groups,o=vega"
> by group/groupOfUniqueNames/uniqueMember="cn=users-admins,ou=groups,o=vega" write
> by group/groupOfUniqueNames/uniqueMember="cn=tree-admins,ou=groups,o=vega" write
> by users read
>
> And when any of the members of "cn=users-admins,ou=groups,o=vega"
> tries to add a new object, he gets an error:
> no write access to parent
>
> But he can modify an existing object without errors.
>
> If I change dn.one to dn.sub, there are no errors at all.
>
> Could anybody explain what modification is needed on the parent object?
man slapd.access(5):

  one (synonym of onelevel) indicates all the entries immediately
  below the <dnpattern>, sub (synonym of subtree) indicates all
  entries
  [...]
  The add operation requires add (=a) privileges on the pseudo-attribute
  entry of the entry being added, and add (=a) privileges on the
  pseudo-attribute children of the entry's parent.
As an add operation requires read access to the pseudo-attribute children,
you have to allow read access to ou=personal,ou=groups,o=vega,
something like

  access to dn.base="ou=personal,ou=groups,o=vega" attrs=children

or you allow all operations on the base ou=personal,ou=groups,o=vega
by

  access to dn.subtree="ou=personal,ou=groups,o=vega"
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
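A complete slapd.conf ACL fragment that resolves the "no write access to parent" error described in the thread, added here as an example; it is not from either poster. It keeps the original dn.one rule for the entries themselves and adds a preceding rule on the parent entry (dn.base) that grants the two admin groups write on the pseudo-attribute children, which the add operation needs according to the slapd.access(5) text quoted above. The group and base DNs are the ones from the original question; everything else is an assumption.

```conf
# Added example (not from the original post). Rule order matters in slapd:
# the first "access to" clause whose target matches the entry wins, so the
# narrower dn.base rule for the parent must come before the dn.one rule.

# 1. The parent entry itself: only its "children" pseudo-attribute is opened.
#    "write" covers add (=a) and delete, so members of the two admin groups
#    may create and remove entries directly under ou=personal. Nobody else
#    gets write here, so the scope of the grant stays limited to the parent.
access to dn.base="ou=personal,ou=groups,o=vega" attrs=children
        by group/groupOfUniqueNames/uniqueMember="cn=users-admins,ou=groups,o=vega" write
        by group/groupOfUniqueNames/uniqueMember="cn=tree-admins,ou=groups,o=vega" write
        by * none

# 2. The entries one level below the parent (the original rule, unchanged).
#    With no attrs= list this covers the "entry" pseudo-attribute of the new
#    object as well as all its regular attributes, so the add's second
#    requirement (add privilege on the new entry's "entry") is satisfied too.
access to dn.one="ou=personal,ou=groups,o=vega"
        by group/groupOfUniqueNames/uniqueMember="cn=users-admins,ou=groups,o=vega" write
        by group/groupOfUniqueNames/uniqueMember="cn=tree-admins,ou=groups,o=vega" write
        by users read
```

Before restarting slapd, the effect can be checked offline with slapacl(8), which evaluates the configured ACLs for a given identity without a running server, e.g. `slapacl -b "ou=personal,ou=groups,o=vega" -D "<DN of a users-admins member>" children/write` should report that the access is ALLOWED once the first rule is in place and DENIED with only the original configuration. The reason dn.sub "just worked" in the original question is that the subtree scope also matched the parent entry, so the admin groups implicitly received write on its children together with everything else; the dn.base/attrs=children rule grants exactly the missing privilege and nothing more.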